
Authentication method for RPC

Mar 31st, 2005, 04:27 PM

I'm fairly new to Acegi and I just need a little push in the right direction.

I'm working with Laszlo which offers RPC functionality for calling methods on Java objects from a rich-flash client. The Java objects reside on a web server and I believe the flash client (created by Laszlo) just calls the main Laszlo servlet and the HttpRequest object contains the name of a class and the method within that class to call.

I would like to secure the methods on the Java class hosted on my web server that is being called from the flash client. Since the RPC request goes through the Laszlo servlet, and since I'm wanting to secure methods in a Java class being called by that servlet, should I use method security or filter security or a combination of the two?

Keep in mind that the Laszlo servlet is accessed for other reasons besides the RPC calls, so it cannot be entirely locked down. It must receive anonymous calls, but when the servlet acts as a proxy for calling methods on my Java class, I would like Acegi to step in and check the user's credentials. It almost seems to me that I need to set up a filter that applies method security rather than file (JSP) security.

I think you should be OK as long as you have the filters in place. You don't actually need to deny access to any URLs but they are needed to allow Acegi to interact with the Http requests and to kick off the login process when an AuthenticationException occurs. If you have a look at the SecurityEnforcementFilter


Thank you both for your replies. I've been pondering the way to make this work and my first question is how to authenticate using the Laszlo client frontend. Do I need to authenticate using a type of web-application-style process (i.e. forms-based authentication) or should I pass the userid and password to some sort of custom class that creates the authentication object manually and puts it in the session? From my Laszlo client, I have either option. I can make a forms-based authentication request, simulating a normal HTML form submission by passing in the action=j_acegi_security_check and the j_username, j_password fields. Alternatively, I can issue a Java RPC call and pass in the userid and password to my backend Java class and have it manually create the authentication object and put it in the session. I'm not sure which way is correct.

Keep in mind that once I authenticate, I'll want to make calls to the backend Java RPC class (through the web application) which I will have secured by a methodsecurity interceptor. This interceptor should consult the authentication object in the session to determine access to the methods in that class. Any results (or authentication errors) will need to be sent back in the form of a response to the RPC call, not as a pointer to some JSP error page.

Any suggestions on which way to go are very much appreciated.


I went ahead and tried using the MethodSecurityInterceptor to try and catch RPC calls to my backend services, while putting the FilterSecurityInterceptor in place to trigger the HttpSession ContextHolder management. I think I'm fairly close to making it work, but I'm now stuck. My problems seem to center around Anonymous authentication. I basically want no web security at all right now. I just want to manually authenticate users with my backend RPC class and then have the Authentication object stored in my ContextHolder (and HttpSession) so I can authenticate future method calls using my MethodSecurityInterceptor. My Laszlo Flash UI is calling the Login function in my backend Java class, and I'm successfully authenticating the user and putting the Authentication object into the ContextHolder. However, now that the user is Authenticated, the fact that all my web resources are accessible by ROLE_ANONYMOUS in the FilterSecurityInterceptor is preventing my now-authenticated user from accessing the web resources to continue using the application!

There are three concrete AccessDecisionManagers provided with the Acegi Security System for Spring that tally the votes. The ConsensusBased implementation will grant or deny access based on the consensus of non-abstain votes. Properties are provided to control behavior in the event of an equality of votes or if all votes are abstain. The AffirmativeBased implementation will grant access if one or more ACCESS_GRANTED votes were received (i.e. a deny vote will be ignored, provided there was at least one grant vote). Like the ConsensusBased implementation, there is a parameter that controls the behavior if all voters abstain. The UnanimousBased provider expects unanimous ACCESS_GRANTED votes in order to grant access, ignoring abstains. It will deny access if there is any ACCESS_DENIED vote. Like the other implementations, there is a parameter that controls the behavior if all voters abstain.

Because I'm using /**=ROLE_ANONYMOUS,ROLE_EDITOR,ROLE_ADMIN, why is it trying to reauthenticate to login.jsp over and over? (My previous post shows my applicationContext.xml file with the Filters that route the user to login.jsp. Keep in mind that I'm not currently using this for anything, as the Laszlo application is handling all the authentication manually. I may put two UIs on this, one Laszlo and one JSP, so I figured I'd set it up with both types of authentication. For now, if the user is not 'authenticated' I would like the user to be set as anonymous so they can continue, since I do not have any security settings for any of my web resources, just my methods in my Java classes.)

Any ideas?


Here is my goal. I eventually want to have two frontends: one JSP frontend and one Laszlo (rich flash UI) frontend. The JSP frontend will work like a normal JSP application and I think I can get that working with Acegi. However, when a user accesses the Laszlo frontend, they will need Anonymous access to the *.lzx files that display the UI. All security for Laszlo UI users will be done at the method level using the MethodSecurityInterceptor. I will handle logins manually for these users, placing the Authentication object in the ContextHolder in my backend Java class.

So I guess I could create two directories: /jsp and /lzx

Then I could set up web resource security (i.e. JSP files etc.) for everything in the /jsp folder and then allow anonymous access to everything in the /lzx folder. It appears to me that my interceptors and filters are fighting amongst each other, causing loops etc.

Can you help me sort this out?


I think I got it partially figured out: I was using a UnanimousBased AccessDecisionManager rather than an AffirmativeBased. This caused my roles of [ROLE_ANONYMOUS, ROLE_EDITOR] to fail when a user with only one role tried to access the protected resource.


I think I got it partially figured out: I was using a UnanimousBased AccessDecisionManager rather than an AffirmativeBased. This caused my roles of [ROLE_ANONYMOUS, ROLE_EDITOR] to fail when a user with only one role tried to access the protected resource.

Great, I thought it was something like that which is why I mentioned the earlier quote.
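The voting behaviour the quoted documentation describes, and the failure diagnosed above, modelled as an added example (not Acegi's code). It assumes a single RoleVoter-style voter and that UnanimousBased polls the voters one configuration attribute at a time, which is why a user holding only one of several listed roles is denied.

```python
# Constructed model of Acegi's vote tallying for the thread's scenario:
# /** = ROLE_ANONYMOUS,ROLE_EDITOR,ROLE_ADMIN with a user holding one role.
GRANTED, DENIED, ABSTAIN = 1, -1, 0


def role_voter(attributes, authorities):
    """RoleVoter-style voter: abstains unless some attribute starts with ROLE_;
    otherwise grants if the user holds any listed role, denies if none."""
    roles = [a for a in attributes if a.startswith("ROLE_")]
    if not roles:
        return ABSTAIN
    return GRANTED if any(r in authorities for r in roles) else DENIED


def affirmative_based(voters, attributes, authorities, allow_if_all_abstain=False):
    """Any single GRANTED wins; DENIED only matters when nobody granted."""
    votes = [v(attributes, authorities) for v in voters]
    if GRANTED in votes:
        return True
    if DENIED in votes:
        return False
    return allow_if_all_abstain


def consensus_based(voters, attributes, authorities,
                    allow_if_equal=True, allow_if_all_abstain=False):
    """Majority of non-abstain votes decides; ties and all-abstain are configurable."""
    votes = [v(attributes, authorities) for v in voters]
    grants, denies = votes.count(GRANTED), votes.count(DENIED)
    if grants != denies:
        return grants > denies
    return allow_if_all_abstain if grants == 0 else allow_if_equal


def unanimous_based(voters, attributes, authorities, allow_if_all_abstain=False):
    """Each attribute is voted on separately (assumed UnanimousBased behaviour);
    one DENIED on any attribute blocks access, abstains are ignored."""
    grants = 0
    for attr in attributes:
        for v in voters:
            vote = v([attr], authorities)
            if vote == DENIED:
                return False
            if vote == GRANTED:
                grants += 1
    return grants > 0 or allow_if_all_abstain


def decide_all(attributes, authorities, voters=(role_voter,)):
    """Run the same request through all three managers for side-by-side comparison."""
    return {"affirmative": affirmative_based(voters, attributes, authorities),
            "consensus": consensus_based(voters, attributes, authorities),
            "unanimous": unanimous_based(voters, attributes, authorities)}
```

With the thread's mapping, `decide_all(["ROLE_ANONYMOUS", "ROLE_EDITOR", "ROLE_ADMIN"], {"ROLE_EDITOR"})` grants under AffirmativeBased and ConsensusBased but denies under UnanimousBased, because the voter denies ROLE_ANONYMOUS for that user.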